Malicious hackers believed to be working on behalf of the Chinese government have been exploiting a high-severity zero-day vulnerability in the Versa Director, a virtualization platform used by US-based internet service providers (ISPs). The attackers infected at least four US-ISP networks with malware that steals login credentials entered by customers. The attack allows the hackers to gain remote administrative control of the affected systems.
The vulnerability, tracked as CVE-2024-39717, is an unsanitized file upload vulnerability that enables the injection of malicious Java files running on the Versa Director systems with elevated privileges. All versions of Versa Director prior to 22.1.4 are affected.
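Two defender-side checks that follow directly from that description, as an added example that is not Versa's code and is not taken from the Ars Technica article: a version comparison that flags a Versa Director build older than 22.1.4 as affected, and an upload filter of the kind an "unsanitized file upload" fix needs, rejecting path traversal, Java artifacts by extension (including double extensions) and Java class files or JAR-style archives by content signature. The dotted numeric version format, the extension allow-list and the sample inputs are assumptions made for illustration.

```python
"""Added example: version triage and a hardened upload validator.

Not Versa's code. The version string format (numeric, dot separated) and
the allow-list of permitted extensions are assumptions for illustration.
"""
import io
import re
import zipfile
from pathlib import PurePosixPath

# Fixed release named in the text: everything older is affected.
FIXED_VERSION = (22, 1, 4)

# Java class files begin with 0xCAFEBABE; JAR/WAR files are zip archives.
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"
ZIP_MAGIC = b"PK\x03\x04"
JAVA_EXTENSIONS = {".java", ".class", ".jar", ".war", ".jsp", ".jspx"}
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf", ".csv"}  # illustrative allow-list


def parse_version(version):
    """Turn '22.1.3' (or '22.1') into a comparable 3-tuple; assumed format."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unrecognized version string: {version!r}")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected_version(version):
    """True when the build predates the 22.1.4 fix."""
    return parse_version(version) < FIXED_VERSION


def looks_like_java_artifact(data):
    """Content sniffing: a class file, or a zip containing classes/a manifest."""
    if data.startswith(JAVA_CLASS_MAGIC):
        return True
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                names = archive.namelist()
        except zipfile.BadZipFile:
            return False
        return any(n.endswith(".class") or n == "META-INF/MANIFEST.MF" for n in names)
    return False


def validate_upload(filename, data):
    """Return (accepted, reason). Reject before any byte touches the filesystem."""
    # 1. No path separators or traversal: the server chooses the storage path.
    if "/" in filename or "\\" in filename or ".." in filename:
        return False, "path separators or traversal in filename"

    # 2. Every suffix is checked, so 'shell.jsp.png' is rejected too.
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if any(s in JAVA_EXTENSIONS for s in suffixes):
        return False, "executable Java artifact extension"
    last = suffixes[-1] if suffixes else ""
    if last not in ALLOWED_EXTENSIONS:
        return False, f"extension {last or '(none)'} not in allow-list"

    # 3. Extensions can be lied about, so inspect the bytes as well.
    if looks_like_java_artifact(data):
        return False, "content is a Java class or archive despite extension"
    return True, "ok"


def build_sample_jar():
    """Constructed test input: a minimal zip that looks like a JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        archive.writestr("Evil.class", JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34")
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("22.1.3", "22.1.4", "21.2.3"):
        print(v, "affected" if is_affected_version(v) else "fixed")
    samples = [
        ("report.pdf", b"%PDF-1.4 constructed sample"),
        ("../../webroot/x.png", b"\x89PNG"),
        ("shell.jsp.png", b"<% constructed %>"),
        ("report.pdf", build_sample_jar()),
    ]
    for name, blob in samples:
        print(name, validate_upload(name, blob))
```

The content check matters more than the extension check: a rename is free for an attacker, while a JAR that is not a zip, or a class file without its magic bytes, will not run. Reject on either signal, and log the rejection so the attempt itself becomes a detection event.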
The hackers gained initial access to the affected systems through compromised small office and home office (SOHO) routers, which they exploited via unpatched ports. The attackers then installed a custom web shell called "VersaMem" that captures login credentials as customers enter them. Once in possession of the credentials, the hackers attempt to compromise the customers.
The attack is considered highly significant because of its severity and potential consequences. Affected ISPs and their customers should patch the vulnerability immediately and apply system hardening and firewall guidelines to prevent further exploitation.
Source: https://arstechnica.com/security/2024/08/hackers-infect-isps-with-malware-that-steals-customers-credentials/